Unified EFI images on Silverblue?

Not sure if this is the correct location to post this—I’d be grateful if someone could direct me to the right place if it’s not!

I’m looking for a way to get an unbroken chain of trust from EFI to the LUKS2-encrypted booted system, on Silverblue/Kinoite. I’ve looked over the options available to me and I’m not sure it’s possible right now:

  1. Using the default setup with a separate /boot partition leaves the initramfs unencrypted and unsigned, breaking the chain of trust.
  2. Grub 2.06 theoretically supports booting from a LUKS1 encrypted /boot, leaving the chain of trust intact, but Anaconda doesn’t support encrypted /boot. Besides, it doesn’t look like it’s possible to reliably upgrade a LUKS1 container to LUKS2.
  3. Generating a unified kernel image (that I can sign myself) doesn’t appear to be supported by ostree.

Going over the options available, it appears that the path of least resistance would be 3. Is there a way to get ostree and dracut to deploy and sign a unified image that I can boot from? I’ve found the kernel-install scripts in /usr/lib/kernel/install.d, and they seem to be “short-circuited” by 00-rpmostree-skip.install. Could I put my own script in there that generates a unified image, without messing with the ostree deployment process?

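For the third option in the post above, here is an added example (not code from the thread, nor from the ostree, rpm-ostree or systemd projects) of what a kernel-install drop-in that builds and signs a unified kernel image could look like. It assumes systemd's kernel-install(8) plug-in interface (arguments `COMMAND KERNEL_VERSION ENTRY_DIR KERNEL_IMAGE [INITRD...]`, plus the `KERNEL_INSTALL_BOOT_ROOT` and `KERNEL_INSTALL_ENTRY_TOKEN` environment variables of recent systemd releases), a dracut with `--uefi` support, sbsigntools, and a Secure Boot db signing key and certificate at hypothetical paths under `/etc/secureboot/`. As the post notes, `00-rpmostree-skip.install` short-circuits the plug-in chain on rpm-ostree systems, so on Silverblue this script would have to be invoked by hand with the same argument convention after each deployment rather than being picked up automatically; that part is not solved here.

```shell
#!/bin/sh
# Added example: a kernel-install plug-in (e.g. /etc/kernel/install.d/95-uki.install)
# that builds a Unified Kernel Image with dracut --uefi and signs it with sbsign.
# Not from the original thread. Paths to the key/cert are hypothetical.
set -eu

SB_KEY="${SB_KEY:-/etc/secureboot/db.key}"     # assumed: private key enrolled in db
SB_CERT="${SB_CERT:-/etc/secureboot/db.crt}"   # assumed: matching certificate

# Boot Loader Specification "type #2" location for a UKI on the ESP:
#   $BOOT/EFI/Linux/<entry-token>-<kernel-version>.efi
uki_path() {
    boot_root="$1"; token="$2"; kver="$3"
    printf '%s/EFI/Linux/%s-%s.efi\n' "$boot_root" "$token" "$kver"
}

# Build the UKI: dracut embeds the kernel, a freshly generated initramfs and the
# kernel command line into one PE binary via the systemd EFI stub.
build_uki() {
    kver="$1"; kimage="$2"; out="$3"
    dracut --force --uefi --kver "$kver" --kernel-image "$kimage" "$out"
}

# Sign the PE binary so firmware with the matching db certificate accepts it,
# then verify the signature before it is allowed to replace anything on the ESP.
sign_uki() {
    unsigned="$1"; signed="$2"
    sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$signed" "$unsigned"
    sbverify --cert "$SB_CERT" "$signed"
}

case "${1:-}" in
    add)
        kver="$2"; kimage="$4"
        boot_root="${KERNEL_INSTALL_BOOT_ROOT:-/boot/efi}"
        token="${KERNEL_INSTALL_ENTRY_TOKEN:-$(cat /etc/machine-id)}"
        out="$(uki_path "$boot_root" "$token" "$kver")"
        mkdir -p "$(dirname "$out")"
        build_uki "$kver" "$kimage" "$out.unsigned"
        sign_uki "$out.unsigned" "$out"
        rm -f "$out.unsigned"
        ;;
    remove)
        kver="$2"
        boot_root="${KERNEL_INSTALL_BOOT_ROOT:-/boot/efi}"
        token="${KERNEL_INSTALL_ENTRY_TOKEN:-$(cat /etc/machine-id)}"
        rm -f "$(uki_path "$boot_root" "$token" "$kver")"
        ;;
esac
```

The signed file still needs a boot entry: either the firmware's own boot manager (`efibootmgr -c ... -l '\EFI\Linux\<token>-<kver>.efi'`) or a loader such as systemd-boot that enumerates `EFI/Linux/` automatically. With Secure Boot enforced and only your own db certificate enrolled, an unsigned or modified image (including its embedded initramfs) is refused by the firmware, which is the unbroken chain from EFI to the encrypted root that the post asks for.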

You could let the installer create an unencrypted /boot then replace with an encrypted one after the fact.

I am not sure that would work. /boot would need to be unencrypted before the machine could boot and vmlinuz has to handle the encryption. Having the tool to handle the encryption already encrypted seems a problem to me.

I think it needs to have /boot and /boot/efi unencrypted then everything else can be encrypted.

Grub can do the decryption. Many distros work this way.